
do not use trusted forest name to construct domain admin principal #40

Closed

Conversation

@martbab martbab commented Aug 31, 2016

When trust-add is supplied an AD domain admin name without a realm component, the
code appends the uppercased AD forest root domain name to construct the full
principal. This can cause an authentication error, however, when an external trust
with a non-root domain is requested.

We should instead use the supplied DNS domain name (if valid) as a realm
component.

https://fedorahosted.org/freeipa/ticket/6277

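The principal construction the PR describes, shown before and after the change as an added example; this is illustrative code, not FreeIPA's own, and the helper names, the DNS-validity check and the fail-closed behaviour on an invalid domain are assumptions.

```python
"""Added example (not FreeIPA's own code): how the AD admin principal used by
trust-add is built from the supplied admin name, before and after the fix."""
import re

# Hostname-label syntax (RFC 1123 style) stands in for the "if valid" check.
# This regex-based validator is an assumption, not FreeIPA's validator.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_dns_domain(domain: str) -> bool:
    """True when domain has at least two syntactically valid labels."""
    labels = domain.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def principal_before(admin: str, forest_root: str, trusted_domain: str) -> str:
    """Pre-fix behaviour: the realm is always the uppercased forest root,
    even when the trust is being established with a non-root (child) domain,
    so the child-domain admin ends up authenticating against the wrong realm."""
    if "@" in admin:
        return admin  # caller already supplied a realm component
    return f"{admin}@{forest_root.upper()}"


def principal_after(admin: str, forest_root: str, trusted_domain: str) -> str:
    """Fixed behaviour: the DNS domain supplied to trust-add becomes the realm.
    An invalid domain is rejected rather than silently falling back (assumption)."""
    if "@" in admin:
        return admin
    if not is_valid_dns_domain(trusted_domain):
        raise ValueError(f"invalid DNS domain name: {trusted_domain!r}")
    return f"{admin}@{trusted_domain.upper()}"


if __name__ == "__main__":
    # Constructed values: external trust to a child domain of the forest root.
    root, child = "ad.example.com", "child.ad.example.com"
    print(principal_before("Administrator", root, child))  # Administrator@AD.EXAMPLE.COM
    print(principal_after("Administrator", root, child))   # Administrator@CHILD.AD.EXAMPLE.COM
```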
abbra commented Aug 31, 2016

NACK. This is wrong.
In the case of external trust to a child domain we cannot run netr_DsRGetForestTrustInformation() against the child domain, regardless of what credentials we have. Instead, we should run this request against the forest root domain using the credentials specified by the user.

martbab commented Aug 31, 2016

I am under the impression that the problem you describe (https://fedorahosted.org/freeipa/ticket/6057) is orthogonal to the issue reported in this particular ticket. Yes, we need to ask the forest root DCs for the forest topology information, but we need to get the right credentials in the first place.

If the user is establishing an external trust against e.g. a child domain but the code assumes that he wants to authenticate as the forest root domain admin instead of the child domain admin, it is an issue that can and should be handled separately.

abbra commented Aug 31, 2016

Apologies. This is indeed a minor issue which is correctly fixed, so ACK for this one.
Note, though, this will not help with the actual query because regardless of what credentials were used, AD DC of a child domain behaves wrongly in Windows Server 2012R2 by not following MS-NRPC 3.5.4.7.5.

@abbra abbra added the ack Pull Request approved, can be merged label Aug 31, 2016
@MartinBasti MartinBasti added the pushed Pull Request has already been pushed label Aug 31, 2016
@martbab martbab deleted the t_6277 branch September 8, 2016 15:44